We get data in using HEC tokens, and the data is flowing just fine. But when we try to view the HTTP Event Collector panel under Indexing > Inputs, it says we have no tokens configured. How do we configure the MC to see the existing tokens?
Hi @edoardo_vicendo, do you still have your working setup? Do you find that introspection logs from the HEC receiver instances report metrics for tokens used by "/services/collector/raw" and "/services/collector/event", but not "/services/collector/s2s"?
index="_introspection" component=HttpEventCollector data.token_name=*
@tungpx Just assign the $click.value2$ to your token on drilldown. Here is a run anywhere example:
<dashboard version="1.1" theme="light">
<label>Table DrillDown</label>
<row>
<panel>
<table>
<search>
<query>|makeresults
| eval user="A B C"
| makemv user
| mvexpand user
| streamstats count
| eval ID1=user.count
| eval ID2=user.count.0
| fields - _time</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<set token="token_value">$click.value2$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<html>
<h2> index=myindex <b> <font color="red"> ID=$token_value$ </font> </b></h2>
</html>
</panel>
</row>
</dashboard>
Good morning, I am requesting a link to download a previous version of Splunk Forwarder: Windows x64 7.2.6. I'm trying to repair the installation but it is requesting the MSI to complete. Thank you.
Hello, I would like to merge 2 index clusters.
Context
- 2 indexer clusters
- 1 search head cluster
Objectives
- Add new indexers to cluster B.
- Move data from cluster A to cluster B.
- Remove cluster A.
Constraint
- Keep service interruptions to a minimum.
What do you think of this process?
Before starting
- Make sure the clusters have the same Splunk version.
- Make sure the clusters have the same configuration.
- Make sure volumes B can absorb indexes A.
- Make sure common indexes have the same configuration. If not, define their final configuration.
Add new peer nodes
- Install new peer nodes.
- Add new peer nodes in cluster B.
- Rebalance data.
- Add new peer nodes in outputs.conf and restart.
Move data
- Remove peer nodes A from outputs.conf and restart.
- Move indexes configuration from A to B.
- Copy peer apps from A to B.
- Put peer nodes A in manual detention to stop replication from other peer nodes.
- Add peer nodes A in cluster B.
Remove peer nodes A
One indexer at a time:
- Remove peer node A from cluster B.
- Wait for all the fixup tasks to complete so the cluster meets its search and replication factors.
- Rebalance data.
Finally
- Make sure there is no major issue in the logs.
- Update diagram and inventory files (spreadsheets, inventory files, lookups, etc.).
- Update dashboards and reports if necessary.
I can't seem to find anything in known issues that matches your problem on the version that your team is using. https://docs.splunk.com/Documentation/ES/6.6.2/RN/KnownIssues Restricting access to indexes should not affect the capability to make changes to the IR dashboard (unless the notable index has been restricted too). The one recommendation I have is to ask the Splunk admin to see if they are restricting the capability to edit notables in the custom roles that may have been developed for restricting access to indexes. Also, if possible, could you share the error that you encounter while editing the notables? It will help us to help you find a solution.
Thank you @ITWhisperer. This seems to be working; however, it is not displaying "No events found" where there are 0 or blank events. Attached snapshot below. Also, can you please explain the query?
FWIW, the appendcols command rarely factors into a solution. The conditions for it to work correctly are too narrow. The general form to solve a problem like this is to search the index for field values that are not in the lookup table.
index=prod_syslogfarm NOT [ | inputlookup myinventory.csv IP_Address | fields IP_Address | format ]
| stats count by IP_Address
| lookup myinventory.csv IP_Address OUTPUT Hostname Environment Tier3 Operating_System
| rename Hostname as missingname
| table missingname Environment Tier3 Operating_System
We need more information. What version of Splunk is the forwarder? Is it a Universal Forwarder or Heavy Forwarder? What version of Splunk is the Deployment Server? (FTR, the DS does not push configurations - forwarders pull them from the DS.) What error messages are in the forwarder's splunkd.log file?
Can someone help me understand what I am doing wrong here?
My requirement is: I have an index=prod_syslogfarm which will report on the devices forwarding logs to the syslog collectors. The devices may report with either hostname / IP address / FQDN. Now, I have to compare this with our master asset inventory (which is the lookup below, myinventory.csv) and create a report with the host names that are not seen in the prod_syslogfarm index. I am making hostname the common field for the main search and the lookup file, and below is my query.
The query below is not working, as the report contains the hostnames that are there in the syslogfarm index.
index=prod_syslogfarm
| stats count by IP_Address
| lookup myinventory.csv IP_Address OUTPUT Hostname
| table IP_Address Hostname
| rename Hostname as Reporting_Host
| appendcols [ search index=prod_syslogfarm | eval fqdn_hostname=lower(fqdn_hostname) | eval Reporting_Host=lower(Reporting_Host) | eval Reporting_Host=mvappend(Reporting_Host, fqdn_hostname) ]
| dedup Reporting_Host
| table Reporting_Host
| rename Reporting_Host as Hostname
| appendcols [ inputlookup myinventory.csv | eval Hostname=lower(Hostname) | stats values(Hostname) as cmdb_hostname by Hostname ]
| eval missingname = mvmap(cmdb_hostname, if(cmdb_hostname != Hostname, cmdb_hostname, null()))
| table missingname
| mvexpand missingname
| lookup myinventory.csv Hostname as missingname OUTPUT Environment Tier3 Operating_System
| table missingname Environment Tier3 Operating_System
Hi Team, my CSV file contains a header line like below (1st line in the CSV). How can I create a transformation for field extraction?
"State","Location name","Primary Number"
It's retrieving only the fields State and Location.
Expected fields: State, Location name, Primary Number
After Splunk Forwarder installation, the deployment server is not able to push the configuration to the forwarder, or the forwarder is not able to communicate with Splunk.
Hello everyone, I want the Kerio Control technical guide that provides details on how to set up and configure a Syslog server to send logs to Splunk log management systems.
Hello,
I have a table in a dashboard like so:
User  ID1  ID2
A     ABC  123
B     DEF  456
C     GHJ  789
I have set drilldown tokens like so:
<set token="id1">$row.ID1$</set>
<set token="id2">$row.ID2$</set>
I have a table below that I want to pass these tokens down to. For example, when I click ABC in ID1, it will pass the token id1 (value "ABC") to the query below; when I click 456 in ID2, it will pass the token id2 (value "456") to the query below.
The query will be
index=myindex $id1$ (if I click on a value in ID1 column)
or
index=myindex $id2$ (if I click on a value in ID2 column)
A push in the right direction would be very appreciated.
Thank you
Hi All, I recently found out that my Syslog Server is creating duplicates for all log files. I checked the packets (pcap) from one host and they contain unique logs, but syslog has duplicates. How do I prevent syslog from creating duplicate logs? Is there a way to prevent Splunk from ingesting duplicate logs? #syslog #linux #duplicates
Hi @seyongkim, Splunk MLTK 5.1.3 is compatible with Splunk Enterprise 8.0.0 or higher, or Splunk Cloud Platform. https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Installandconfigure#Requirements
Macro expansion is just textual, there is no context held during expansion, so the expansion doesn't interpret any values passed to the macro, it simply replaces the text of the macro "call" with the body of the macro substituting parameters as it goes, then tries to expand any macros which have been added, and so on.